Re: [Acme] Enrollment of Wildcard certificates with ACME?

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 30 July 2015 14:48 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: acme@ietfa.amsl.com
Delivered-To: acme@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6578A1A1B5E for <acme@ietfa.amsl.com>; Thu, 30 Jul 2015 07:48:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.611
X-Spam-Level:
X-Spam-Status: No, score=-2.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nFp4MLt_xEGX for <acme@ietfa.amsl.com>; Thu, 30 Jul 2015 07:47:56 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BB731A1B9E for <acme@ietf.org>; Thu, 30 Jul 2015 07:47:42 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 21641E42B; Tue, 28 Jul 2015 10:47:27 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 8366063AEC; Tue, 28 Jul 2015 10:30:20 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 6EB1063751; Tue, 28 Jul 2015 10:30:20 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Fabio Pietrosanti \(naif\) - lists" <lists@infosecurity.ch>
In-Reply-To: <55B75C58.6080106@infosecurity.ch>
References: <55B75C58.6080106@infosecurity.ch>
X-Mailer: MH-E 8.6; nmh 1.3-dev; GNU Emacs 24.4.2
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha1; protocol="application/pgp-signature"
Date: Tue, 28 Jul 2015 10:30:20 -0400
Message-ID: <5648.1438093820@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/IKL_9zK_e8HKbBTs74nOA5vwmg0>
Cc: acme@ietf.org
Subject: Re: [Acme] Enrollment of Wildcard certificates with ACME?
X-BeenThere: acme@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Automated Certificate Management Environment <acme.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/acme>, <mailto:acme-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/acme/>
List-Post: <mailto:acme@ietf.org>
List-Help: <mailto:acme-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/acme>, <mailto:acme-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2015 14:48:03 -0000

Fabio Pietrosanti (naif) - lists <lists@infosecurity.ch>; wrote:
    > within the ACME specification, has been the Enrollment of Wildcard
    > certificate been taken in consideration?

That really seems out of scope.

1) If you have a wildcard certificate, then you don't need to enroll it for
   each machine, you just install it.

2) It seems impossible to validate in HTTPS that you own all of the possible
   (perhaps not yet existing) QNAMES under your label.

I think we need to avoid boiling the ocean here.
Maybe the resulting protocol can be used to keep a wildcard certificate
up-to-date after it is deployed.

    > At Tor2web software project, that require wildcard certificate to be
    > used, we'd really love to integrate automation of certificate setup
    > with ACME/LetsEncrypt.

I can't understand how a wildcard certificate, like, "*.example.com"
could work for tor2web, so maybe you can explain your situation more.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [